The infection chain starts with the compromised site containing the Afraidgate script. It can be a little difficult to tell which script will return the iframe if you're not used to looking at normal network traffic. Here is the Afraidgate script on the compromised site:

The response from the server contains compressed data, so I extracted the file. Below is a picture of the response from the server and the file containing the malicious iframe:

The URL in the iframe tags redirects the host to the Neutrino EK landing page. Again, the response from the server shows it's being compressed, but here is what the HTML looks like:

The landing page is where the host gets its next instructions, which is to download the SWF exploit:

Then, like always, there is a GET request for an HTML file 0 bytes in size. I'm still not sure why Neutrino EK uses this technique, but I'm certain there is a purpose behind it:

Following that the host makes the GET for the Locky payload:

The payload is dropped into the Temp folder and deletes itself once the system has been infected. Here is the payload that was dropped on the system:

Once executed, the file deletes itself and the ransom notes begin to pop up on the Desktop and in numerous folders:

Checking for post-infection traffic I found the following POST requests:

188.127.249.32/data/info.php
95.85.19.195/data/info.php

I would recommend blocking the EK and callback IPs on your network perimeter firewall(s).
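As an added example (not part of the original post), here is a small detection script that scans proxy-style HTTP logs for the post-infection traffic described above and emits perimeter block rules. The two callback IPs and the `/data/info.php` path are taken from the post; the log format, the client addresses, the hostnames (`compromised.example`, `ek.example`) and every log line are constructed for this example, and the "0-byte HTML" rule is a low-confidence heuristic based only on the behaviour noted above, not a signature from the post. The EK hosts are not listed in the post, so only the callback IPs go into the block list.

```python
from collections import namedtuple
from urllib.parse import urlsplit

# Locky callback hosts and URI path, taken from the post-infection POST requests in the post.
LOCKY_CALLBACK_IPS = {"188.127.249.32", "95.85.19.195"}
LOCKY_CALLBACK_PATH = "/data/info.php"

# Constructed sample proxy log (not real traffic). Format per line:
#   <unix_ts> <client_ip> <method> <url> <http_status> <response_bytes>
SAMPLE_LOG = """\
1464700001 10.0.0.15 GET http://compromised.example/index.html 200 5123
1464700003 10.0.0.15 GET http://ek.example/xyz/landing 200 20480
1464700004 10.0.0.15 GET http://ek.example/abc.swf 200 93312
1464700005 10.0.0.15 GET http://ek.example/empty.html 200 0
1464700006 10.0.0.15 GET http://ek.example/payload 200 250880
1464700020 10.0.0.15 POST http://188.127.249.32/data/info.php 200 312
1464700021 10.0.0.15 POST http://95.85.19.195/data/info.php 200 312
1464700030 10.0.0.22 GET http://intranet.example/home 200 1024
1464700031 10.0.0.22 POST http://188.127.249.32/other.php 200 50
"""

Hit = namedtuple("Hit", "ts client rule url")


def scan(log_text):
    """Return a list of Hit records for lines matching the Locky/Neutrino indicators.

    Rules, from highest to lowest confidence:
      locky_callback          POST to a known callback IP on /data/info.php
      callback_ip_other_path  any request to a known callback IP (different path)
      zero_byte_html          GET for an .html resource with an empty body (heuristic)
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than crash on them
        ts, client, method, url, _status, resp_bytes = parts
        u = urlsplit(url)
        host, path = u.hostname, u.path
        if method == "POST" and host in LOCKY_CALLBACK_IPS and path == LOCKY_CALLBACK_PATH:
            hits.append(Hit(ts, client, "locky_callback", url))
        elif host in LOCKY_CALLBACK_IPS:
            hits.append(Hit(ts, client, "callback_ip_other_path", url))
        elif method == "GET" and path.endswith(".html") and resp_bytes == "0":
            hits.append(Hit(ts, client, "zero_byte_html", url))
    return hits


def infected_clients(hits):
    """Clients that produced a high-confidence callback hit, sorted for stable output."""
    return sorted({h.client for h in hits if h.rule == "locky_callback"})


def blocklist_rules(ips):
    """Render iptables DROP rules for the given destination IPs (one per line)."""
    return [f"iptables -A FORWARD -d {ip} -j DROP" for ip in sorted(ips)]


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h.ts} {h.client} {h.rule:<24} {h.url}")
    print("hosts to triage:", ", ".join(infected_clients(found)))
    print("\n".join(blocklist_rules(LOCKY_CALLBACK_IPS)))
```

On the constructed log this flags client 10.0.0.15 twice for the callback POSTs, once for the empty HTML fetch, and flags 10.0.0.22 at lower confidence for touching a callback IP on a different path; only the high-confidence rule feeds the triage list, so the heuristic rule surfaces leads without driving response on its own.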